Ubuntu
libvirt package

  1. Bug #1677398
  2. Comment #0

Comment 0 for bug 1677398

Revision history for this message
Simon Déziel (sdeziel) wrote : Apparmor prevents using ZFS storage pools

Apparmor prevents qemu-kvm guests from using ZFS volumes.

[Impact]
* ZFS storage pools are not usable.

[Test Case]
0) Create a zpool (system specific so not documented here)
1) Create a ZFS storage pool (named like your zpool, "internal" here)
  virsh pool-define-as internal zfs
  virsh pool-start internal
2) Create a volume
  virsh vol-create-as internal foo 2G
2) Create a KVM guest
4) Edit the guest's XML profile to use the ZFS volume (zvol)
    <disk type='volume' device='disk'>
      <driver name='qemu' type='raw' cache='none'/>
      <source pool='internal' volume='foo'/>
      <target dev='vda' bus='virtio'/>
    </disk>
5) Start the guest

The guest refuses to start:

  # virsh start nms
  error: Failed to start domain foo
  error: internal error: process exited while connecting to monitor: 2017-03-29T22:07:31.507017Z qemu-system-x86_64: -drive file=/dev/zvol/internal/foo,format=raw,if=none,id=drive-virtio-disk0,cache=none: Could not open '/dev/zvol/internal/foo': Permission denied

dmesg reveals the culprit:

apparmor="DENIED" operation="open" profile="libvirt-988a8c25-5190-4762-8170-55dc75fc66ca" name="/dev/zd224" pid=23052 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=109 ouid=109
apparmor="DENIED" operation="open" profile="libvirt-988a8c25-5190-4762-8170-55dc75fc66ca" name="/dev/zd224" pid=23052 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=109 ouid=109

Checking /etc/apparmor.d/libvirt/libvirt-$UUID.files shows that no "/dev/zdXX" has been added.

[Additional info]

# lsb_release -rd
Description: Ubuntu 16.04.2 LTS
Release: 16.04

# apt-cache policy libvirt-bin apparmor linux-image-generic
libvirt-bin:
  Installed: 1.3.1-1ubuntu10.8
  Candidate: 1.3.1-1ubuntu10.8
  Version table:
 *** 1.3.1-1ubuntu10.8 500
        500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.3.1-1ubuntu10 500
        500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
apparmor:
  Installed: 2.10.95-0ubuntu2.5
  Candidate: 2.10.95-0ubuntu2.5
  Version table:
 *** 2.10.95-0ubuntu2.5 500
        500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2.10.95-0ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
linux-image-generic:
  Installed: 4.4.0.70.76
  Candidate: 4.4.0.70.76
  Version table:
 *** 4.4.0.70.76 500
        500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
        100 /var/lib/dpkg/status
     4.4.0.21.22 500
        500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: libvirt-bin 1.3.1-1ubuntu10.8
ProcVersionSignature: Ubuntu 4.4.0-70.91-generic 4.4.49
Uname: Linux 4.4.0-70-generic x86_64
NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
ApportVersion: 2.20.1-0ubuntu2.5
Architecture: amd64
Date: Wed Mar 29 17:48:06 2017
SourcePackage: libvirt
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.default.libvirt-guests: [modified]
modified.conffile..etc.libvirt.qemu.conf: [modified]
modified.conffile..etc.libvirt.qemu.networks.default.xml: [modified]
mtime.conffile..etc.default.libvirt-guests: 2016-08-29T21:09:57.632048
mtime.conffile..etc.libvirt.qemu.conf: 2017-03-29T17:26:03.924234
mtime.conffile..etc.libvirt.qemu.networks.default.xml: 2016-04-23T19:24:13.505208